
Adobe has released 11 total fixes for an array of products during today’s Patch Tuesday release, including two critical patches for Acrobat and Reader.

This month’s release comes on the heels of Adobe fixing a whopping 112 vulnerabilities in its July Patch Tuesday release last month, including issues in Flash Player, Acrobat and Reader, Experience Manager and Adobe Connect.

Critical Flaws

Topping the list at this month’s Patch Tuesday updates are two critical fixes for Adobe Acrobat and Reader for Windows and MacOS. Exploitation of the vulnerabilities could lead to arbitrary code execution in the context of the current user.

CVE-2018-12808 is an out-of-bounds write flaw, while CVE-2018-12799 is an untrusted pointer dereference vulnerability, the advisory noted.

Impacted products include Acrobat DC and Acrobat Reader DC versions 2018.011.20055 and earlier; Acrobat 2017 and Acrobat Reader Classic 2017 versions 2017.011.30096 and earlier; and Acrobat DC and Acrobat Reader DC Classic 2015 versions 2015.006.30434 and earlier. All product updates have a priority rating of 2, said Adobe, meaning that “the update resolves vulnerabilities in a product that has historically been at elevated risk.”

Adobe hasn’t seen any exploits in the wild, but to avoid potential attacks, the vendor said that users should update to versions 2018.011.20058 for Acrobat DC and Reader DC; 2017.011.30099 for Acrobat and Reader Classic 2017; and 2015.006.30448 for Acrobat DC Classic 2015.

Flash Player

Also included in the release are security updates for five other vulnerabilities that are rated important, impacting Adobe Flash Player Desktop Runtime (on Windows, macOS, and Linux); Adobe Flash Player for Google Chrome (on Windows, macOS, Linux and ChromeOS); and Adobe Flash Player for Microsoft Edge and Internet Explorer 11 (for Windows 10 and 8.1), all for versions 30.0.0.134 and earlier.

The flaws (CVE-2018-12828, CVE-2018-12827, CVE-2018-12826, CVE-2018-12825 and CVE-2018-12824) could lead to arbitrary code execution – although no exploits have been discovered yet in the wild. All are information disclosure bugs, except for CVE-2018-12828, which is a privilege escalation flaw that leads to remote code execution, said Adobe.

Adobe recommended that users update to version 30.0.0.154 for all impacted versions, which all are listed as priority 2 – except Adobe Flash Player Desktop Runtime for Linux, which was given a lower priority 3, meaning the “update resolves vulnerabilities in a product that has historically not been a target for attackers.”
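To turn the affected and fixed version lists for Acrobat/Reader (above) and Flash Player (this section) into a check against a software inventory, here is an added Python example; it is not Adobe's or Threatpost's code. The version numbers come from the article; the product keys, function names and the sample inventory lines are assumptions made for illustration. It compares version segments numerically and keeps the three Acrobat release tracks separate, since a Classic 2017 build must be judged against the 2017 fixed version, not the Continuous-track one.

```python
"""Version-check helper for the Adobe advisories summarised in the article.

Added example, not Adobe's or Threatpost's code. The version numbers are
those stated in the article; the product keys, function names and the
sample inventory are assumptions for illustration.
"""
from typing import Dict, Tuple

# Per release track: (last version the advisory lists as affected,
#                     first version Adobe recommends updating to).
FIXED_VERSIONS: Dict[str, Tuple[str, str]] = {
    "acrobat_dc_continuous": ("2018.011.20055", "2018.011.20058"),  # Acrobat DC / Reader DC
    "acrobat_classic_2017": ("2017.011.30096", "2017.011.30099"),   # Acrobat / Reader Classic 2017
    "acrobat_classic_2015": ("2015.006.30434", "2015.006.30448"),   # Acrobat DC / Reader DC Classic 2015
    "flash_player": ("30.0.0.134", "30.0.0.154"),                   # all Flash Player runtimes
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version string into integers so comparison is numeric.

    Plain string comparison ranks '2018.011.9999' above '2018.011.20058'
    because '9' > '2'; converting each segment to an int avoids that.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def acrobat_track(version: str) -> str:
    """Map an Acrobat/Reader version to its release track by the leading segment."""
    major = parse_version(version)[0]
    if major >= 2018:
        return "acrobat_dc_continuous"
    if major == 2017:
        return "acrobat_classic_2017"
    if major == 2015:
        return "acrobat_classic_2015"
    raise ValueError(f"no track in this advisory for version {version!r}")


def assess(product: str, version: str) -> str:
    """Classify an installed version against the advisory for its track.

    'fixed'    : at or above the recommended update
    'affected' : at or below the last version the advisory lists as affected
    'below_fix': between the two (not listed, but still older than the fix)
    """
    last_affected, first_fixed = FIXED_VERSIONS[product]
    installed = parse_version(version)
    if installed >= parse_version(first_fixed):
        return "fixed"
    if installed <= parse_version(last_affected):
        return "affected"
    return "below_fix"


# Constructed sample inventory: one "host,product,version" record per line.
SAMPLE_INVENTORY = """\
host01,acrobat,2018.011.20055
host02,acrobat,2018.011.20058
host03,acrobat,2017.011.30096
host04,acrobat,2015.006.30448
host05,flash_player,30.0.0.134
host06,flash_player,30.0.0.154
"""


def scan_inventory(text: str) -> Dict[str, str]:
    """Return {host: status}; Acrobat records are routed to their track first."""
    results: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, product, version = (f.strip() for f in line.split(","))
        key = acrobat_track(version) if product == "acrobat" else product
        results[host] = assess(key, version)
    return results


if __name__ == "__main__":
    for host, status in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Feeding a real inventory export through `scan_inventory` gives a per-host list of what still needs the priority-2 update; the `below_fix` bucket catches builds the advisory does not name but that are nonetheless older than the recommended version.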

Other Fixes

Adobe also addressed three “moderate” vulnerabilities in its Adobe Experience Manager, versions 6.0 to 6.4.

The flaws (CVE-2018-12806, CVE-2018-12807, CVE-2018-5005) are a reflected cross-site scripting (XSS) vulnerability that could result in sensitive information disclosure; an input-validation bypass vulnerability that could allow unauthorized information modification; and another XSS vulnerability that also could result in sensitive information disclosure.

Finally, the company issued a patch for an important-rated insecure library-loading vulnerability in the Creative Cloud Desktop Application (CVE-2018-5003), which exists in the installer. It could lead to privilege escalation. Impacted versions are 4.5.0.324 and earlier, for Windows.

Authors

Threatpost
